[erlang-questions] ssl server multiple certificates

Ingela Andin ingela.andin@REDACTED
Tue Oct 29 14:51:09 CET 2013


Hi!

2013/10/29 Andreas Schultz <aschultz@REDACTED>

> Hi,
>
> ----- Original Message -----
> > Hi,
> >
> > I would like to have some feedback about the API modification.
>
> Ingela is the authority to ask, so just my 2 cent here....
>
> > * Client side
> > No modification, SNI is used if the connection endpoint is a hostname,
> > not an ip address.
>
> Like that
>
>
Feels good and should be ok as unknown extensions should be ignored.



> > * Server side
> > A new "sni_hosts" option can override ssl options on a per-hostname
> > basis: for example one can override the default certificate for the
> > vhost1.example.com hostname with the following ssl option:
> > {sni_hosts, [{"vhost1.example.com", [{certfile, "vhost1.pem"},
> > {keyfile,"vhost1.key"}]}]}
>
> What about just 'hosts'; the fact that it uses SNI does not really matter.
>
>
I agree with Andreas on this point, SNI is an implementation detail.
Maybe virtual_hosts would be more descriptive of what it is actually used
for.



> > A new ssl:sni_hostname/1 function was added to get the wanted
> > hostname, for example in yaws one can imagine calling this function to
> > serve the website corresponding to the sni hostname.
> >
> > ok = ssl:ssl_accept(S),
> > SelectedHost = ssl:sni_hostname(S),
>
> Looking at the SSL API, it feels like a simple hostname/1 call would be
> more in line with for example peername and sockname.
>

This would be a function defined only for the server?  I like hostname!


> What would be the return if SNI wasn't negotiated, some kind of default,
> a special atom (e.g. undefined or unknown) or {error, unknown} ?
>
>
Maybe inet:gethostname() could be the default? So if the connection
represents a virtual host you will get its name and otherwise you will
get the actual hostname?!


Regards Ingela Erlang/OTP team - Ericsson AB



> I recently updated the client side patch (the easier part), but need
> > some time to update the patch to work with the refactored ssl library.
> >
> > Feedback is welcome! :)
>
> Andreas
>
> >
> > Regards,
> >
> > --
> > Julien Barbot
> >
> >
> > 2013/10/28 Andreas Schultz <aschultz@REDACTED>
> > >
> > > Hi,
> > >
> > > ----- Original Message -----
> > > > Hi!
> > > >
> > > > If I remember correctly someone worked on a contribution for this,
> but I
> > > > was in the middle of refactoring
> > > > things and I think it was not quite finished.
> > >
> > > Found it:
> > > http://erlang.org/pipermail/erlang-patches/2012-May/002787.html
> > >
> > > And copied the original author... would be nice to have this in R17
> > >
> > > Andreas
> > >
> > > > Since then I have not had time
> > > > to follow up on it. I think it would
> > > > not be too hard to add support for it, but it is not our priority at
> the
> > > > moment, so please feel free to contribute.
> > > > And it is quite ok to send in a "pre-patch" to get feed back on API
> > > > choices
> > > > before you make the patch conform to all patch requirements.
> > > >
> > > > Regards Ingela Erlang/OTP team - Ericsson AB
> > > >
> > > >
> > > > 2013/10/25 Sergej Jurecko < sergej.jurecko@REDACTED >
> > > >
> > > >
> > > > hello,
> > > >
> > > > Is it possible to host multiple ssl certificates for different
> domains on
> > > > a
> > > > single IP and port? Like nginx is capable of doing.
> > > >
> > > >
> > > > Sergej
> >
>
> --
> --
> Dipl. Inform.
> Andreas Schultz
>
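Putting the proposed API together, as an added example (not code from the thread, from Julien's patch or from OTP): a listener that selects a certificate per virtual host with the {sni_hosts, ...} option in the shape proposed above, reads back the negotiated name, and falls back to inet:gethostname() when the client sent no SNI, as suggested. The certificate paths, the port, and the use of ssl:handshake/1 and ssl:connection_information/2 (the current-OTP counterparts of the ssl:ssl_accept/1 and ssl:sni_hostname/1 named in the thread) are assumptions to check against the ssl documentation of the release in use.

```erlang
%% sni_vhosts.erl -- added example, not code from the thread or from OTP.
%% Serves different certificates per virtual host behind one IP:port using
%% the server option {sni_hosts, [{Hostname, SslOpts}]} in the shape proposed
%% above, and falls back to inet:gethostname() when the client sent no SNI.
%% Certificate paths are placeholders (assumption): the files must exist.
-module(sni_vhosts).
-export([start/1, accept_loop/1, serve/1, vhost_name/1, connect/3]).

%% Default certificate, used when SNI is absent or names an unknown host.
%% A client that asked for vhost1 but sees this certificate will (correctly)
%% refuse the connection on name mismatch, so keep the list complete.
default_cert_opts() ->
    [{certfile, "default.pem"}, {keyfile, "default.key"}].

%% Per-hostname overrides. Only the certificate-related options differ;
%% everything else is inherited from the listen options.
vhosts() ->
    [{"vhost1.example.com", [{certfile, "vhost1.pem"}, {keyfile, "vhost1.key"}]},
     {"vhost2.example.com", [{certfile, "vhost2.pem"}, {keyfile, "vhost2.key"}]}].

%% Listen on Port and hand every accepted connection to its own process.
start(Port) ->
    ok = ssl:start(),
    Opts = [binary, {active, false}, {reuseaddr, true},
            {versions, ['tlsv1.2', 'tlsv1.3']},      % assumption: OTP 22 or newer
            {sni_hosts, vhosts()} | default_cert_opts()],
    {ok, LSock} = ssl:listen(Port, Opts),
    {ok, spawn_link(?MODULE, accept_loop, [LSock])}.

accept_loop(LSock) ->
    {ok, TSock} = ssl:transport_accept(LSock),
    _ = spawn(?MODULE, serve, [TSock]),
    accept_loop(LSock).

%% Complete the handshake (ssl:ssl_accept/1 in the thread's era, ssl:handshake/1
%% in current OTP), then tell the client which virtual host was selected.
serve(TSock) ->
    case ssl:handshake(TSock) of
        {ok, Sock} ->
            Host = vhost_name(Sock),
            ok = ssl:send(Sock, <<"vhost: ", (list_to_binary(Host))/binary, "\n">>),
            ssl:close(Sock);
        {error, Reason} ->
            %% e.g. the client aborted after being shown the default certificate
            error_logger:info_msg("handshake failed: ~p~n", [Reason])
    end.

%% The name the client asked for, or this machine's own hostname when the
%% client sent no SNI. Assumption: the release in use reports the negotiated
%% name under sni_hostname in ssl:connection_information/2; the thread's
%% proposed ssl:sni_hostname/1 is not assumed to exist.
vhost_name(Sock) ->
    case ssl:connection_information(Sock, [sni_hostname]) of
        {ok, [{sni_hostname, Host}]} when is_list(Host) -> Host;
        _ ->
            {ok, Local} = inet:gethostname(),
            Local
    end.

%% Client side: connecting by hostname makes OTP send that name as SNI; the
%% explicit option pins it. CaFile is the CA that issued the vhost certificates,
%% so the server's choice of certificate is actually verified, not just logged.
connect(Hostname, Port, CaFile) ->
    ok = ssl:start(),
    {ok, Sock} = ssl:connect(Hostname, Port,
                             [binary, {active, false},
                              {server_name_indication, Hostname},
                              {verify, verify_peer},
                              {cacertfile, CaFile}], 5000),
    {ok, Line} = ssl:recv(Sock, 0, 5000),
    ok = ssl:close(Sock),
    Line.
```

With sni_vhosts:start(8443) running, sni_vhosts:connect("vhost1.example.com", 8443, "ca.pem") should return <<"vhost: vhost1.example.com\n">> provided that name resolves to the listening host and vhost1.pem carries it as a SAN; a connection made by IP address (or with server_name_indication set to disable) is served the default certificate and reported under the machine's own hostname, which is the fallback discussed above.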